Why isn’t sensitive information encrypted in Australia?
In an article published in The Australian in August 2023, we explore the impact of the recent spate of cyberattacks on national institutions and make the case for a more comprehensive, data-centric, encryption-first approach to cyber security.
More than half of Australia’s population has felt the impact of recent cybersecurity breaches. As inflationary pressures around the world ease, the global supply chain is once again straining under pressure to deliver on time and in volume. This return to normal for the consumer looks far different behind the scenes.
The pandemic displayed just how important these chains are to national interests, and cybersecurity has become a major focus for (government-mandated) investment in the United States. Unfortunately, closer to home, Australia is an evident weak link with its inadequate cybersecurity measures, even in its major banking institutions.
In recent times, cyber attacks of historical magnitude have transpired, affecting millions of customers worldwide. The startling fact is that many of these attacks occurred in Australia, where the cornerstone of cybersecurity – data encryption, i.e. protection – seems to be forgotten.
When breaches are reported, it is often claimed by Australian organisations that their data was indeed encrypted and they are the victims of incredibly sophisticated attackers. At best these are weasel words, at worst outright falsehoods. Cybersecurity is about protecting data, and strong encryption with properly encrypted managed keys ensures that sensitive data is protected, even if it is stolen by the world’s most tenacious hackers.
In any event, while US cybersecurity companies report a surge in growth due to recent high-profile attacks and regulatory intervention, Australia lags. We’ll be forced to play catch-up eventually if we wish to continue being a trusted part of global commerce. The bill will eventually come due.
It’s not for a lack of trying on the part of our regulatory powers. A recent policy audit by the Australian Prudential Regulation Authority (APRA) has revealed worrying gaps in the cybersecurity measures of banks, insurance companies, and other financial service providers.
Despite being regulated under CPS 234 – an industry mandate requiring an information security capability commensurate with vulnerabilities and threats – glaring deficiencies persist. These include incomplete inventories of sensitive information assets, poor control over third-party information security, and inadequate response plans in the case of breaches.
As APRA’s work emphasises, we need a back-to-basics approach to cybersecurity in Australia. Encryption, the backbone of cybersecurity, must be implemented at all stages of the data life cycle – at rest, in use and in motion. Without malware protection, we’re going nowhere fast.
Half a country held to ransom
As we expand our overseas presence and win major global contracts, including through our rapidly growing subsidiary Votiro, we cannot ignore the domestic market’s vulnerabilities. The question remains: why isn’t sensitive data encrypted in Australia?
In the past year, the number of reported cyber incidents in Australia increased by 13 per cent, affecting major corporations and national institutions. More than half of the country’s population has felt the impact of these breaches through stolen or held-for-ransom unencrypted data.
Looking at the latest OAIC report, notifiable breaches increased by 26 per cent in the second half of 2022. The figures are even more concerning for the healthcare, finance, and professional services sectors. Despite legislative changes and the imposition of severe penalties, few lessons appear to be learned.
For change to take root, more than mere acknowledgment of IT security as a “top priority” is required. Businesses must adopt a proactive approach against ransomware and enforce data encryption at all stages. Greater compliance enforcement is likely a necessary step too.
Australia’s future in cybersecurity lies in reinforcing data protection through encryption. It’s high time we acknowledge the severity of successful data breaches and the impact that they have on our prosperity as a nation.
As global cybersecurity players like Senetas ride the wave of booming global cybersecurity investment, it’s hard not to feel embarrassment that Australia is leaving its backyard unattended.
The need of the hour is a comprehensive, data-centric, encryption-first cybersecurity approach to protect Australian consumers, businesses and institutions alike.
With a stronger focus on encryption, we can turn our domestic market from a vulnerable target into a robust fortress.